Background 


The Information Commissioner is responsible for enforcing and promoting 
compliance with the UK General Data Protection Regulation (UK GDPR), 
the Data Protection Act 2018 (DPA18), the Privacy and Electronic 
Communications Regulations (PECR) and other data protection legislation. 
Section 146 of the DPA18 provides the Information Commissioner’s Office 
(ICO) with the power to conduct compulsory audits through the issue of 
assessment notices. Section 129 of the DPA18 allows the ICO to carry out 
consensual audits. The ICO sees auditing as a constructive process with 
real benefits for controllers and so aims to establish a participative 
approach. 


The ICO’s Investigations team ran an investigation between 2017 and 
2020 following a number of complaints received from data subjects via 
the Telephone Preference Service (TPS) and the ICO’s own online reporting 
tool. The investigation focused on organisations that were making 
marketing calls using a range of generic and fictitious company names or 
misusing the names of other genuine companies. By masking their true 
identity, these organisations prevented data subjects from making complaints 
directly to them, and the rights and freedoms provided to data subjects in 
data protection legislation were significantly undermined. 


Jones Whyte LLP (JWL) did not form part of the initial investigation; 
however, they were found to be a recipient of personal data obtained as a 
result of the unlawful collection and compiling of bulk marketing lists. The 
ICO wrote to JWL in August 2020 outlining their initial concerns, 
particularly in regard to PECR regulation 21. 


JWL provided responses to ICO enquiries over a further series of 
correspondence and also confirmed that they had implemented additional 
measures to improve their data protection practices. 


The ICO wrote to JWL in July 2021 to invite them to take part in a 
consensual audit. The audit took place during the week beginning 8 
November 2021. 


The scope of the audit covered the following key control areas: 

- Governance 
- Sourcing personal data 
- Transparency 
- Lawful basis for processing 
- Data supply and sharing 


The purpose of the audit was to provide the Information Commissioner 
with an assurance of the extent to which JWL, within the scope of the 
audit, is complying with data protection legislation. 


Priority of recommendations summary 


Where opportunities for improvement were identified recommendations 
have been made, primarily around enhancing existing processes to 
facilitate compliance with data protection legislation. In order to assist 
JWL in implementing the recommendations, each has been assigned a 
priority rating based upon the risks that they are intended to address. The 
ratings are assigned based upon the ICO’s assessment of the risks 
involved. JWL’s priorities and risk appetite may vary and, therefore, they 
should undertake their own assessments of the risks identified. 


A summary of the ratings assigned within this report is shown below. 


Priority Ratings Summary 

[Pie chart: breakdown of recommendation priorities by Urgent, High and Medium] 


The pie chart above shows a breakdown of the priorities assigned to the 
recommendations made. There are 14 urgent, three high and one 
medium priority recommendations. 


Urgent priority recommendations are intended to address risks which 
represent clear and immediate risks to JWL’s ability to comply with the 
requirements of data protection legislation. 


Areas for Improvement 


The ICO are encouraged by the improvements to data protection practices 
made by JWL since the initial contact in August 2020, including: 

- The restriction of engaging with suppliers involved in the buying and 
  selling of personal data. 
- The introduction of due diligence conducted on suppliers, which 
  provides some assurance that their use of personal data will be 
  compatible with the purposes for which it was originally collected. 
- Proactively restricting the amount of personal data processed to 
  what is necessary. 
- The introduction of risk management to JWL. 
- The development of new data protection induction and training, due 
  for implementation in January 2021. 


However, the audit identified some areas where further improvements are 
required to achieve compliance with data protection legislation: 

- Privacy information is not fully compliant with Article 13 of the 
  UK GDPR, and not all relevant information is available to data 
  subjects at the time their personal data are collected. 
- JWL do not have clearly defined and recorded lawful bases for 
  processing personal data under Articles 6 and 9 of the UK GDPR. 
- The lack of a formal review and approval process for internal 
  policies means that some contain inaccurate or out-of-date 
  information. 
- The rapid expansion of JWL means that they may not be meeting 
  the obligations of Articles 38 and 39 of the UK GDPR, which require 
  appropriate support and resources to be made available to the DPO in 
  order for them to meet all their legislative responsibilities. 
- Retention periods have not been defined for all personal data 
  processed by JWL in relation to enquiries to the firm. 


Appendices 


Appendix One - Recommendation Priority Ratings Description 


Urgent Priority Recommendations 

These recommendations are intended to address risks which 
represent clear and immediate risks to the data controller’s ability 
to comply with the requirements of data protection legislation. 


The matters arising in this report are only those that came to our attention 
during the course of the audit and are not necessarily a comprehensive 
statement of all the areas requiring improvement. 


The responsibility for ensuring that there are adequate risk management, 
governance and internal control arrangements in place rests with the 
management of Jones Whyte LLP. 


This report is solely for the use of JWL. The scope areas and controls covered 
by the audit have been tailored to JWL and as a result, the audit report is not 
intended to be used in comparison with other ICO audit reports. We take all 
reasonable care to ensure that our audit report is fair and accurate but cannot 
accept any liability to any person or organisation, including any third party, for 
any loss or damage suffered or costs incurred by it arising out of, or in 
connection with, the use of this report, however such loss or damage is 
caused. We cannot accept liability for loss occasioned to any person or 
organisation, including any third party, acting or refraining from acting as a 
result of any information contained in this report. 


